Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search affinity for non-multisite cluster

oliverj
Communicator
‎05-24-2017 07:35 AM

I have 2 locations, and not a ton of resources. Multisite clustering took too much -- it seems like I need at least 3 indexers (or maybe it was 2 per site). But, I only have 2 indexers, so I decided a multisite cluster was more then I needed. Instead, I set up a basic index cluster that I was hoping to have span multiple locations. Main goal = data safety. 2 copies of active splunk indexes, plus backups at each location looks to be exactly what I need.
alt text

But, my pipe between sites is pretty limited. Ideally, my search head would be tied to a specific indexer, so I am not trying to pull data across sites. I looked at affinity (but that is multisite only) and distributed search (but that is non-cluster only). Is it possible to restrict my SearchHead1 to only search Indexer1?

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

oliverj
Communicator
‎05-24-2017 10:54 AM

It seems I was wrong about not being able to use multisite clustering with only 2 peers.
I found this thread, which indicated that I need to override the default replication factor of 2.
By adding in the 

replication_factor = 1
search_factor = 1

In addition to:

site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2

I was able to successfully start the splunk process.
Now, I should be able to set up a searchhead at each site, with affinity for its own site instead of searching across both indexers across the net.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

oliverj
Communicator
‎05-24-2017 10:54 AM

It seems I was wrong about not being able to use multisite clustering with only 2 peers.
I found this thread, which indicated that I need to override the default replication factor of 2.
By adding in the 

replication_factor = 1
search_factor = 1

In addition to:

site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2

I was able to successfully start the splunk process.
Now, I should be able to set up a searchhead at each site, with affinity for its own site instead of searching across both indexers across the net.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...